1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

497 Commits

Author SHA1 Message Date
Matthias Dieter Wallnöfer
fd4061dadd s4:dcesrv_samr - Add more checks for invalid levels
Add more checks on valid levels, mark unimplemented ones as "UNSUPPORTED" and
otherwise as "INVALID_INFO_CLASS" to be safe.
2009-11-10 16:26:23 +01:00
Matthias Dieter Wallnöfer
c9df4a3c28 s4:dcesrv_samr_ValidatePassword - naturally this was only for debugging the failure 2009-11-06 15:21:56 +01:00
Matthias Dieter Wallnöfer
7cf98abd03 s4:dcesrv_samr_ValidatePassword - adapt call to "samdb_check_password"
I've forgotten that PIDL converts UTF16 parameters automatically back to the
UNIX charset (in most cases UTF16). So I don't have to do this here.
2009-11-06 15:19:40 +01:00
Matthias Dieter Wallnöfer
6afee5f130 s4:dcesrv_samr_ValidatePassword - I forgot to create an out buffer 2009-11-06 15:19:39 +01:00
Matthias Dieter Wallnöfer
3372e2a0cc s4:dcesrv_samr - Implement "dcesrv_samr_ValidatePassword" using my new check password call
This implements a very basic method for password validation using my new
"samdb_check_password" call.
2009-11-05 12:43:03 +01:00
Stefan Metzmacher
a07eb08870 s4:dcesrv_samr: always use mem_ctx as initial parent for samr_*_state
We always steal the state to the policy handle on success,
but untill then keep it on the short term context.

metze
2009-10-24 11:59:16 +02:00
Andrew Tridgell
4ad0397d8a s4-ldbwrap: added re-use of ldb contexts in ldb_wrap_connect()
This allows us to reuse a ldb context if it is open twice, instead
of going through the expensive process of a full ldb open. We can
reuse it if all of the parameters are the same.

The change relies on callers using talloc_unlink() or free of a parent
to close a ldb context.
2009-10-23 14:52:17 +11:00
Andrew Tridgell
98e4393df9 s4-dsdb: create a static system_session context
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
2009-10-23 14:52:17 +11:00
Andrew Bartlett
a0a787ad78 s4:rpc_server Ensure we talloc_free handles when we delete objects
If we don't talloc_free the handle, we leak the memory onto the long-term
context.

Andrew Bartlett
2009-10-21 22:43:56 +11:00
Andrew Bartlett
fcbe6163f6 s4:samr Don't leak the whole user onto the long-term handle
The user entry is only required for this function, so use
mem_ctx to hold it.

Andrew Bartlett
2009-10-21 22:43:56 +11:00
Matthias Dieter Wallnöfer
c183acc782 s4:dcesrv_samr - add another constant 2009-10-13 17:29:52 +02:00
Matthias Dieter Wallnöfer
6b91a2ad8e s4:dcesrv_samr - prevent "ldb_modify" on a possibly empty message
In this code part under certain circumstances we can end up with an empty message.
Since our new behaviour denies them (like the real AD) we need to bypass them
on LDB modify calls.
2009-10-13 00:53:47 +02:00
Matthias Dieter Wallnöfer
7c53386adf s4:dcesrv_samr - Add additional "talloc_free"s 2009-10-13 00:53:47 +02:00
Matthias Dieter Wallnöfer
6e19a9e05d s4:dcesrv_samr - Cosmetics
Make more use of constants and add some braces around "if" blocks
2009-10-13 00:53:25 +02:00
Matthias Dieter Wallnöfer
607ceff234 s3/s4 - Adapt the IDL changes on various locations 2009-10-08 09:50:19 +02:00
Andrew Tridgell
caa9e3ff8e s4-samr: fake up a samr_ValidatePassword response
mdw is working on the correct call to check the password strength
2009-10-02 16:02:42 +10:00
Andrew Tridgell
1261d694f0 more include minimisation 2009-09-19 14:12:01 -07:00
Matthias Dieter Wallnöfer
ad244f7252 s4:samr - Fix up the SAMR server to support the primary group of a user in the right way
When doing some tests with the NT User Manager for Domains on s4 I noticed that the
handling of the primary group for a user wasn't correct. So I fixed this.

Also some cosmetic changes (tab indent corrections).
2009-09-07 08:37:24 +02:00
Günther Deschner
05fbe0c7f7 libds: merge the UF<->ACB flag mapping functions.
Guenther
2009-07-13 15:36:07 +02:00
Günther Deschner
8db45607f8 libds: share UF_ flags between samba3 and 4.
Guenther
2009-07-13 15:36:06 +02:00
Volker Lendecke
68e3442922 Move a comment where it belongs 2009-05-30 18:27:13 +02:00
Andrew Bartlett
227553f904 Win2k3 don't allow creating of domain trust accounts over SAMR 2009-05-29 17:12:06 +10:00
Andrew Bartlett
6ef65389fd Don't use crossRef records to find our own domain
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.

Andrew Bartlett
2009-05-26 12:37:09 +10:00
Andrew Tridgell
2bf1e8b5e1 cope with lanman auth being disabled in old password change code
When lanman auth is disabled and a user calls a password change
method that requires it we should give NT_STATUS_NOT_SUPPORTED
2009-05-25 13:39:56 +10:00
Andrew Bartlett
0d4bd2c397 s4:samr Use ldb_context * rather than void * 2009-04-23 12:19:10 +02:00
Jelmer Vernooij
94069bd274 s4: Use same function signature for convert_* as s3. 2009-03-01 19:55:46 +01:00
Jelmer Vernooij
9ffb6d2d9e Add allow_badcharcnv argument to all conversion function, for
consistency with Samba 3.
2009-03-01 06:33:40 +01:00
Matthias Dieter Wallnöfer
91bfd5f201 s4-samr: Fix Bug #5946. userparameters handling in samr server.
Signed-off-by: Günther Deschner <gd@samba.org>
2008-12-10 00:07:25 +01:00
Günther Deschner
4bcf8edcf8 s4-samr: fix samr callers after SAMR_FIELD_PASSWORD change.
Guenther
2008-12-05 14:27:03 +01:00
Günther Deschner
ce01168158 s4-samr: fix s4 samr server after idl change.
Guenther
2008-12-05 14:27:03 +01:00
Günther Deschner
01b6eee69f s4-samr: use samr_DomainServerState in samr server.
Guenther
2008-12-02 00:37:39 +01:00
Günther Deschner
09998ab89d s4-samr: merge samr_QueryUserInfo{2} from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:31 +01:00
Günther Deschner
15e011564a s4-samr: merge samr_QueryGroupInfo from s3 idl. (fixme python)
Guenther
2008-11-10 21:46:30 +01:00
Günther Deschner
0548642e5b s4-samr: merge samr_QueryAliasInfo from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:30 +01:00
Günther Deschner
99c2fac6b2 s4-samr: merge samr_EnumDomainGroups from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:30 +01:00
Günther Deschner
1ea97d76ed s4-samr: merge samr_EnumDomainUsers from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:30 +01:00
Günther Deschner
d4d9a73ad1 s4-samr: merge samr_EnumDomains from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:30 +01:00
Günther Deschner
bb1d7684d2 s4-samr: merge samr_LookupDomain from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:30 +01:00
Günther Deschner
61391d0ade s4-samr: merge samr_LookupNames from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:30 +01:00
Günther Deschner
2efec54b8d s4-samr: merge samr_EnumDomainAliases from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:29 +01:00
Günther Deschner
aaca059a35 s4-samr: merge samr_QueryDisplayInfo from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:29 +01:00
Günther Deschner
3a9b42fa75 s4-samr: merge samr_QueryDisplayInfo2 from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:29 +01:00
Günther Deschner
bab255f09b s4-samr: merge samr_QueryDisplayInfo3 from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:29 +01:00
Günther Deschner
68a2ca11dc s4-samr: merge samr_GetGroupsForUser from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:29 +01:00
Günther Deschner
f7dfea32fc s4-samr: merge samr_QueryDomainInfo from s3 idl. (fixme python)
Guenther
2008-11-10 21:46:29 +01:00
Günther Deschner
9774927947 s4-samr: merge samr_QueryGroupMember from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:28 +01:00
Günther Deschner
a2a26da899 s4-samr: merge samr_Connect5 from s3 idl. (fixme python)
Guenther
2008-11-10 21:46:28 +01:00
Günther Deschner
8f1559c350 s4-samr: merge samr_GetDomPwInfo from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:28 +01:00
Günther Deschner
f42f1ae5a8 s4-samr: merge samr_GetUserPwInfo from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:27 +01:00
Günther Deschner
94b7db1fb4 s4-samr: merge samr_RidToSid from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:27 +01:00
Günther Deschner
5ce30d0f4d s4-samr: merge samr_QuerySecurity from s3 idl. (fixme: python)
Guenther
2008-11-10 21:46:27 +01:00
Günther Deschner
93c6129c99 s4-samr: merge samr_LookupRids from s3 idl.
Guenther
2008-11-10 21:46:27 +01:00
Günther Deschner
e0a6e3b23b s4-samr: merge samr_ChangePasswordUser3 from s3 idl.
Guenther
2008-11-10 21:46:26 +01:00
Günther Deschner
244dee6275 s4-samr: prepare for Query.*Info calls: change macros.
Guenther
2008-11-10 21:46:26 +01:00
Günther Deschner
9888ed1d9b s4-samr: merge samr_UserInfo20 from s3 idl.
This must not be treated as a normal string (strlen truncates it).

Guenther
2008-11-10 21:46:25 +01:00
Andrew Bartlett
31158c0256 Use ldb_dn_from_ldb_val() to create a DN in the SAMR server
The previous code incorrectly cast an ldb_val into a char *.

Andrew Bartlett
2008-11-04 16:06:57 +11:00
Andrew Bartlett
9381a78c39 Use ldb_dn_from_ldb_val to avoid possible over-run of the value.
The ldb_val is length-limited, and while normally NULL terminated,
this avoids the chance that this particular value might not be, as
well as avoiding a cast.

Andrew Bartlett
2008-11-04 16:06:56 +11:00
Jelmer Vernooij
37d885c51a Remove iconv_convenience argument from convert_string{,talloc}() but
make them wrappers around convert_string{,talloc}_convenience().
2008-10-24 14:26:46 +02:00
Andrew Bartlett
99315a19be Fix errrors in new password handling code found by RPC-SAMR.
I'm very glad we have such a comprehensive testsuite for the SAMR
password change process, as it makes this a much easier task to get
right.

Andrew Bartlett
2008-10-17 12:41:02 +11:00
Andrew Bartlett
7c88ea8aad Create a 'straight paper path' for UTF16 passwords.
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password.  This ensures we do no
validation or filtering of the password before we get a chance to MD4
it.  We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.

All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.

This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.

The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.

Andrew Bartlett
2008-10-16 12:48:16 +11:00
Günther Deschner
11ecd5acfd s4: merge from s3 samr.idl.
Guenther
2008-10-15 17:42:33 +02:00
Jelmer Vernooij
9565999755 Fix include paths to new location of libutil. 2008-10-11 21:31:42 +02:00
Jelmer Vernooij
6925202bde Move source4/lib/crypto to lib/crypto. 2008-09-24 15:30:23 +02:00
Simo Sorce
508527890a Merge ldb_search() and ldb_search_exp_fmt() into a simgle function.
The previous ldb_search() interface made it way too easy to leak results,
and being able to use a printf-like expression turns to be really useful.
2008-09-23 18:17:46 -04:00
Andrew Bartlett
c39d1b829b Remove unused parameter from decode_pw_buffer and fail on invalid
UTF-16 input

The input checking is important, as otherwise we could set the wrong
password.

Andrew Bartlett
2008-09-22 17:50:43 -07:00
Andrew Bartlett
d626a26374 Rename structures to better match the names in the WSPP IDL.
The 'comment' element in a number of domain structures is called
oem_information.  This was picked up actually because with OpenLDAP
doing the schema checking, it noticed that 'comment' was not a valid
attribute.

The rename tries to keep this consistant in both the LDB mappings and
IDL, so we don't make the same mistake in future.

This has no real schema impact, as this value isn't actually used for
anything, as 'comment' was not used in the provision.

Andrew Bartlett
(This used to be commit 65dc0d5365)
2008-07-21 13:42:07 +10:00
Jelmer Vernooij
21fc767378 Specify event_context to ldb_wrap_connect explicitly.
(This used to be commit b4e1ae07a2)
2008-04-17 12:23:44 +02:00
Andrew Bartlett
9a6422b695 Rework our SAMR test and SAMR server.
Now that we don't create users/domain groups/aliases in the builtin
domain, we hit some bugs in the server-side implementation of the
enumeration functions.

In essence, it turns out to be: don't treat 0 as a special case.

Also, fix up the PDC name to always be returned.  I'm sure nothing
actually uses it, particularly for BUILTIN...

Andrew Bartlett
(This used to be commit 353bb79f56)
2008-03-14 12:26:03 +11:00
Andrew Bartlett
80f7e9e081 Rework SAMR functions to avoid gendb_search()
The gendb_*() API does not return error codes, and mixes error returns
with the count of returned entries.

Andrew Bartlett
(This used to be commit facbc8dfa5)
2008-03-13 17:26:01 +11:00
Andrew Bartlett
0c88240236 Rework to have member server 'domains' be CN=NETBIOSNAME
This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.

This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).

Andrew Bartlett
(This used to be commit bda6a38b05)
2008-03-13 11:36:58 +11:00
Andrew Bartlett
227cecadf9 Check for and reject invalid account flags.
(lest we have an account set with 0 flags)

Andrew Bartlett
(This used to be commit 7a46e72f8d)
2008-02-28 10:05:32 +11:00
Andrew Bartlett
5043215f21 Generate ACB_PW_EXPIRED correctly
More correctly handle expired passwords, and do not expire machine accounts.

Test that the behaviour is consistant with windows, using the RPC-SAMR test.

Change NETLOGON to directly query the userAccountControl, just because
we don't want to do the extra expiry processing here.

Andrew Bartlett
(This used to be commit acda1f69bc)
2008-02-28 08:50:00 +11:00
Andrew Bartlett
5df2ac18e7 Print out the reason we can't delete the user in SAMR.
We need to be far more granular bout this - in particular, we need a
decide LDAP -> NTSTATUS conversion.

Andrew Bartlett
(This used to be commit 30fc3752c7)
2008-01-16 15:48:28 +11:00
Jelmer Vernooij
0500b87092 r26540: Revert my previous commit after concerns raised by Andrew.
(This used to be commit 6ac86f8be7)
2007-12-21 05:52:06 +01:00
Jelmer Vernooij
3e75f222bc r26539: Remove unnecessary statics.
(This used to be commit e53e79eebe)
2007-12-21 05:52:05 +01:00
Jelmer Vernooij
6c77f353d3 r26328: remove more uses of global_loadparm.
(This used to be commit 40ae12c086)
2007-12-21 05:48:41 +01:00
Jelmer Vernooij
41db2ab12c r26319: Split encoding functions out of libcli_ldap.
(This used to be commit 95a6ef7fc8)
2007-12-21 05:48:33 +01:00
Jelmer Vernooij
2f5ca872a8 r26313: Fix more uses of static loadparm.
(This used to be commit 6fd0d9d3b7)
2007-12-21 05:48:25 +01:00
Jelmer Vernooij
57f20ccd24 r26296: Store loadparm context in DCE/RPC server context.
(This used to be commit fc1f4d2d65)
2007-12-21 05:48:13 +01:00
Jelmer Vernooij
509e82e402 r26272: Remove global_loadparm in some more places.
(This used to be commit 1ab76ecc53)
2007-12-21 05:47:55 +01:00
Jelmer Vernooij
43696d2752 r26252: Specify loadparm_context explicitly when creating sessions.
(This used to be commit 7280c1e941)
2007-12-21 05:47:29 +01:00
Jelmer Vernooij
f4a1083cf9 r26227: Make loadparm_context part of a server task, move loadparm_contexts further up the call stack.
(This used to be commit 0721a07aad)
2007-12-21 05:47:04 +01:00
Andrew Bartlett
25143a2648 r26135: Remove samdb_add(), samdb_delete() and samdb_modify(), which were just
wrappers to ldb_add() etc.  samdb_replace() remains, as it sets flags on
all entries as 'replace'.

Andrew Bartlett
(This used to be commit 09c0faa5b7)
2007-12-21 05:46:17 +01:00
Jelmer Vernooij
ca0b72a1fd r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies.
(This used to be commit 56dfcb4f2f)
2007-12-21 05:45:40 +01:00
Jelmer Vernooij
05e7c48146 r25553: Convert to standard bool type.
(This used to be commit b7371f1a19)
2007-10-10 15:07:54 -05:00
Jelmer Vernooij
37d53832a4 r25398: Parse loadparm context to all lp_*() functions.
(This used to be commit 3fcc960839)
2007-10-10 15:07:25 -05:00
Andrew Bartlett
6a30131b8b r25052: This missing 'break' caused problems on 32 bit platforms only, due to
alignment of the union.

Sorry for the time it took to test and fix this.

Andrew Bartlett
(This used to be commit 5b893fc6f5)
2007-10-10 15:05:51 -05:00
Jelmer Vernooij
ffeee68e4b r25026: Move param/param.h out of includes.h
(This used to be commit abe8349f9b)
2007-10-10 15:05:38 -05:00
Andrew Bartlett
7c81e6d21c r24973: Try to make it really clear we are dealing with 64 bit numbers here.
Andrew Bartlett
(This used to be commit 9aae9b1d24)
2007-10-10 15:03:43 -05:00
Andrew Bartlett
466bd44a46 r24942: Patch from Matthias Wallnöfer <mwallnoefer@yahoo.de> and a testsuite
to prove it is correct.

This should fix bug #4824: User Manager for Domains - Account Expires.

Thanks!

Andrew Bartlett
(This used to be commit e5f0744d62)
2007-10-10 15:03:41 -05:00
Andrew Bartlett
d7f84b51f9 r24611: Following up on the re-opening of bug 4817 is it pretty clear that
machine accounts are not subject to password policy in Win2k3 R2 (at
least in terms of password quality).

In testing this, I found that Win2k3 R2 has changed the way the old
ChangePassword RPC call is handled - the 'cross-checks' between new LM
and NT passwords are not required.

Andrew Bartlett
(This used to be commit 417ea885b4)
2007-10-10 15:02:23 -05:00
Andrew Bartlett
bd705012b8 r24082: Following the removal of a fanstsy condition from the SAMR testsuite,
allow the server side to enumerate all domain controllers and domain
members...

Andrew Bartlett
(This used to be commit d42150ff0a)
2007-10-10 15:01:24 -05:00
Andrew Bartlett
008b840760 r24080: Set the primary group (matching windows) when creating new users in
SAMR.  This can't be done in the ldb templates code, as it doesn't
happen over direct LDAP.

As noted in bug #4829.

Andrew Bartlett
(This used to be commit 3bfa6dbf7d)
2007-10-10 15:01:23 -05:00
Andrew Bartlett
fe60cd993d r24059: Fix bug 4822 reported by Matthias Wallnöfer <mwallnoefer@yahoo.de>.
Any SAMR client (usrmgr.exe in this case) that attempted to set a
property to a zero length string found instead the the old value was
kept.

In fixing this, rework the macros to be cleaner (add the
always-present .string) to every macro, and remove the use of the
samdb_modify() and samdb_replace() wrappers where possible.

Andrew Bartlett
(This used to be commit b05fe69304)
2007-10-10 15:01:20 -05:00
Andrew Bartlett
41ab04e37c r24053: Ensure we filter EnumDomainUsers with the supplied mask.
Should fix another part (list of domains in usrmgr incorrectly
including accounts) of bug #4815 by mwallnoefer@yahoo.de.

Andrew Bartlett
(This used to be commit 7f7e4fe298)
2007-10-10 15:01:19 -05:00
Andrew Bartlett
32d55960b5 r24052: Fix some of the NT4 usrmgr.exe portions of bug 4815.
- The icons in usermgr were incorrect, because the acct_flags were
   not filled in (due to missing attribute in ldb query)

 - The Full name was missing, and the description used as the full
   name (due to missing attributes in ldb query and incorrect IDL)

To prove the correctness of these fixes, I added a substantial new
test to RPC-SAMR-USERS, to ensure cross-consistancy between
QueryDisplayInfo and QueryUserInfo on each user.

This showed that for some reason, we must add ACB_NORMAL to the
acct_flags on level 2 queries (for machine trust accounts)...

Getting this right is important, because Samba3's RPC winbind methods
uses these queries.

Andrew Bartlett
(This used to be commit 9475d94a61)
2007-10-10 15:01:19 -05:00
Andrew Bartlett
1cc770fc58 r23815: Thanks to Matthias Wallnoefer <mwallnoefer@yahoo.de> for pointing out
that we had the wrong objectClass for OU=Domain
Controllers,${DOMAINDN} (was CN=Domain Controllers,${DOMAINDN})

This fixes both the SAMR server and the LDIF templates.

Andrew Bartlett
(This used to be commit 625a9e6c04)
2007-10-10 14:59:22 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Andrew Bartlett
c74ad3546c r23365: Try to make Windows Vista join again. On my new test environment, it
wants to check for an existing domain join account, and fails.  This
test shows that we need to return NT_STATUS_NONE_MAPPED when nothing
matches.  (not yet tested if this helps vista).

Andrew Bartlett
(This used to be commit 7f3671bf11)
2007-10-10 14:53:12 -05:00
Stefan Metzmacher
3b14713f6d r21362: rename:
"ntPwdHash" => "unicodePwd"
"lmPwdHash" => "dBCSPwd"
"sambaLMPwdHistory" => "lmPwdHistory"
"sambaNTPwdHistory" => "ntPwdHistory"

Note: you need to reprovision after this change!

metze
(This used to be commit dc4242c09c)
2007-10-10 14:48:20 -05:00
Jelmer Vernooij
64e88a8ccf r20850: Prefix all server calls with dcesrv_
(This used to be commit 76c78b0339)
2007-10-10 14:43:39 -05:00
Andrew Bartlett
d471e52d23 r20149: Remove the smb.conf distinction between PDC and BDC. Now the correct
way to setup a Samba4 DC is to set 'server role = domain controller'.

We use the fSMORoleOwner attribute in the base DN to determine the PDC.

This patch is quite large, as I have corrected a number of places that
assumed taht we are always the PDC, or that used the smb.conf
lp_server_role() to determine that.

Also included is a warning fix in the SAMR code, where the IDL has
seperated a couple of types for group display enumeration.

We also now use the ldb database to determine if we should run the
global catalog service.

In the near future, I will complete the DRSUAPI
DsGetDomainControllerInfo server-side on the same basis.

Andrew Bartlett
(This used to be commit 67d8365e83)
2007-10-10 14:29:15 -05:00
Simo Sorce
ea212eb00f r20034: Start using ldb_search_exp_fmt()
(This used to be commit 4f07542143)
2007-10-10 14:28:51 -05:00
Simo Sorce
9ae017588c r19903: This is a cut&paste error for sure
there is no ongoing transaction in this code
(This used to be commit 93b738b111)
2007-10-10 14:28:34 -05:00
Stefan Metzmacher
304653e052 r19902: give better errors...
metze
(This used to be commit b4d7d49c27)
2007-10-10 14:28:33 -05:00
Simo Sorce
a9e31b33b5 r19832: better prototypes for the linearization functions:
- ldb_dn_get_linearized
  returns a const string

- ldb_dn_alloc_linearized
  allocs astring with the linearized dn
(This used to be commit 3929c086d5)
2007-10-10 14:28:22 -05:00
Simo Sorce
4889eb9f7a r19831: Big ldb_dn optimization and interfaces enhancement patch
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.

The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.

The code is not yet 100% perfect, but pass all the tests so far.
A memleak is certainly present, I'll work on that next.

Simo.
(This used to be commit a580c871d3)
2007-10-10 14:28:22 -05:00
Rafal Szczesniak
6c4bc15f3b r19256: add missing infolevel and fields to SetUserInfo call
that's why ntsrv and win2k3 srv could pass the net test
and we could not...

rafal
(This used to be commit 60ade8ddbd)
2007-10-10 14:20:58 -05:00
Andrew Bartlett
bd0245bbd6 r18775: Performing an ldb op of 'do nothing' is pointless, and breaks against
OpenLDAP.

Andrew Bartlett
(This used to be commit 9ce88a8917)
2007-10-10 14:19:10 -05:00
Andrew Bartlett
4de4af0942 r18416: We need to look for both builtinDomain and domain, in the OpenDomain call.
Andrew Bartlett
(This used to be commit 5525baf521)
2007-10-10 14:18:25 -05:00
Andrew Bartlett
1be5dc9837 r18409: Make sure to print a DEBUG message if this LDB search fails.
Andrew Bartlett
(This used to be commit 6419ef09b1)
2007-10-10 14:18:24 -05:00
Andrew Bartlett
f093527819 r18252: Make sure to NULL terminate these lists of attributes.
Andrew Bartlett
(This used to be commit 8cddcdb7c7)
2007-10-10 14:17:56 -05:00
Jelmer Vernooij
0329d755a7 r17930: Merge noinclude branch:
* Move dlinklist.h, smb.h to subsystem-specific directories
 * Clean up ads.h and move what is left of it to dsdb/
   (only place where it's used)
(This used to be commit f7afa1cb77)
2007-10-10 14:16:54 -05:00
Andrew Tridgell
b21b119cbc r17824: add a wrapper for the common partitions_basedn calculation
(This used to be commit 09007b0907)
2007-10-10 14:16:45 -05:00
Andrew Tridgell
0fd9807942 r17823: get rid of most of the samdb_base_dn() calls, as they are no longer
needed in searches
(This used to be commit a5ea749f0a)
2007-10-10 14:16:45 -05:00
Simo Sorce
a23b63a8e5 r17516: Change helper function names to make more clear what they are meant to do
(This used to be commit ad75cf8695)
2007-10-10 14:15:31 -05:00
Andrew Bartlett
f2e8b3202c r16827: Factor out some code into common samdb functions:
- creation of ForeignSecurityPrincipals
 - template duplication code

Rework much of the LSA server to pass the RPC-LSA test.  Much of the
server code was untested.  In implementing the LSA Accounts feature, I
have opted to have it only create entires when privilages are applied,
and not to delete entries, but to delete the privilages.

We skip some parts of the test, but it is much better than not testing
it at all.

Andrew Bartlett
(This used to be commit 10eeea6da4)
2007-10-10 14:09:48 -05:00
Andrew Bartlett
3c9281f014 r16794: Make Samba4 pass it's own RPC-SAMR test, at least in part. There are
still a couple of unimplemented functions, but this is far better than
not testing this at all.  In particular, this exercises the
password_hash module.

Specific changes:
 - Add support for SetDomainInfo
 - Add many more info levels to QueryDomainInfo
 - Set a domain comment in RPC-SAMR, and verify it is kept
 - Refactor QueryUserInfo not to always serach for all attributes
 - Add QueryDiplayInfo3 and QueryDomainInfo2 as aliased calls
 - Make OemChangePassword2 search under the samdb_base_dn(), so it
   finds the user when partitions are active.
 - Skip SetSecurity, DisplayIndex, MemberAttributesOfGroup and
  'Multiple' alias operations in RPC-SAMR for Samba4
 - Add RPC-SAMR as a 'slow' RPC test (it is quite slow)

Andrew Bartlett
(This used to be commit 01d25c9d6c)
2007-10-10 14:09:46 -05:00
Andrew Bartlett
fcce0991c2 r16773: Fix one more RPC-SAMR test (an alias level), and make it clear that
the unknown value in the samr_GroupInfo structures are the group
attributes.

Andrew Bartlett
(This used to be commit c50095efab)
2007-10-10 14:09:45 -05:00
Andrew Bartlett
937e394334 r16772: Clarify comment.
Andrew Bartlett
(This used to be commit fee0716143)
2007-10-10 14:09:45 -05:00
Andrew Bartlett
ad530af48d r16262: Another basedn fix.
Andrew Bartlett
(This used to be commit abf104a0d7)
2007-10-10 14:09:08 -05:00
Andrew Bartlett
7c3af0d06a r16236: Add a proper baseDN to a large number of queries. Searching the NULL
baseDN won't work once the partitions module is loaded.

Andrew Bartlett
(This used to be commit c4ab9e8a75)
2007-10-10 14:09:07 -05:00
Andrew Bartlett
5f44da36e7 r16166: Remove hexidecimal constants from the Samba4 provision files.
This change is required for compatibility with the OSX client, in
particular, but returning 0x80000002 rather than -2147483646 violates
what LDAP clients expect in general.

Andrew Bartlett
(This used to be commit 81f3cd1c45)
2007-10-10 14:09:03 -05:00
Jelmer Vernooij
e002300f23 r15328: Move some functions around, remove dependencies.
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3)
2007-10-10 14:05:17 -05:00
Stefan Metzmacher
1af925f394 r14860: create libcli/security/security.h
metze
(This used to be commit 9ec706238c)
2007-10-10 13:59:44 -05:00
Jelmer Vernooij
84f07e56a4 r14570: Move some functions also they are also used from kpasswd
(This used to be commit 89dfb74894)
2007-10-10 13:58:48 -05:00
Jelmer Vernooij
8528016978 r14464: Don't include ndr_BASENAME.h files unless strictly required, instead
try to include just the BASENAME.h files (containing only structs)
(This used to be commit 3dd477ca51)
2007-10-10 13:57:27 -05:00
Stefan Metzmacher
568e77ed23 r14438: fix warnings
metze
(This used to be commit 83d2978da1)
2007-10-10 13:57:24 -05:00
Jelmer Vernooij
e3f2414cf9 r14380: Reduce the size of structs.h
(This used to be commit 1a16a6f1df)
2007-10-10 13:57:16 -05:00
Jelmer Vernooij
4ac2be9958 r13924: Split more prototypes out of include/proto.h + initial work on header
file dependencies
(This used to be commit 1228358767)
2007-10-10 13:52:24 -05:00
Andrew Bartlett
61fe79d022 r13910: Fix the 'your password has expired' on every login. We now consider
if the 'password does not expire' flag has been set, filling in the
PAC and netlogon reply correctly if so.

Andrew Bartlett
(This used to be commit c530ab5dc6)
2007-10-10 13:52:22 -05:00
Jelmer Vernooij
ba564a901e r13903: Don't generate prototypes for modules and binaries in include/proto.h by
default.
(This used to be commit c80a8f1102)
2007-10-10 13:52:21 -05:00
Andrew Bartlett
ff90c1c5c3 r12720: By metze's request, rename the ntPwdHistory attribute to
sambaNTPassword.  Likewise lmPwdHistory -> sambaLMPwdHistory.

The idea here is to avoid having conflicting formats when we get to
replication.  We know the base data matches, but we may need to use a
module to munge formats.

Andrew Bartlett
(This used to be commit 8e608dd4bf)
2007-10-10 13:49:45 -05:00
Andrew Bartlett
4bfe2907e7 r12719: Rename unicodePwd -> sambaPassword.
Because we don't know the syntax of unicodePwd, we want to avoid using
that attribute name.  It may cause problems later when we get
replication form windows.

I'm doing this before the tech preview, so we don't get too many
supprises as folks upgrade databases into later versions.

Andrew Bartlett
(This used to be commit 097d9d0b7f)
2007-10-10 13:49:45 -05:00
Andrew Bartlett
cc37197079 r12684: A better error code for SAMR transaction failures.
Andrew Bartlett
(This used to be commit 9c127f35ce)
2007-10-10 13:49:38 -05:00
Jelmer Vernooij
d4de4c2d21 r12608: Remove some unused #include lines.
(This used to be commit 70e7449318)
2007-10-10 13:49:03 -05:00
Andrew Bartlett
c82c9fe7bb r12599: This new LDB module (and associated changes) allows Samba4 to operate
using pre-calculated passwords for all kerberos key types.
(Previously we could only use these for the NT# type).

The module handles all of the hash/string2key tasks for all parts of
Samba, which was previously in the rpc_server/samr/samr_password.c
code.  We also update the msDS-KeyVersionNumber, and the password
history.  This new module can be called at provision time, which
ensures we start with a database that is consistent in this respect.

By ensuring that the krb5key attribute is the only one we need to
retrieve, this also simplifies the run-time KDC logic.  (Each value of
the multi-valued attribute is encoded as a 'Key' in ASN.1, using the
definition from Heimdal's HDB.  This simplfies the KDC code.).

It is hoped that this will speed up the KDC enough that it can again
operate under valgrind.
(This used to be commit e902274321)
2007-10-10 13:49:01 -05:00
Jelmer Vernooij
2cd5ca7d25 r12542: Move some more prototypes out to seperate headers
(This used to be commit 0aca5fd513)
2007-10-10 13:47:55 -05:00
Andrew Bartlett
9b67a07e62 r12507: This file has had my grubby paws all over it ;-)
Andrew Bartlett
(This used to be commit 865a2552e6)
2007-10-10 13:47:47 -05:00
Andrew Bartlett
40166d7ecb r12506: Fix up issues shown up by the expanded RPC-SAMR testsuite, and add ldb
transactions to the SAMR password change code.

Andrew Bartlett
(This used to be commit dc091c6c06)
2007-10-10 13:47:47 -05:00
Andrew Bartlett
9a3be162b8 r12504: Fix one more transaction cancel bail-out path, and correct comments.
Andrew Bartlett
(This used to be commit 07b885d0c7)
2007-10-10 13:47:46 -05:00
Andrew Bartlett
90535d31c6 r12503: This function was just too simple to leave unimplemented.
Andrew Bartlett
(This used to be commit 2eebd7b3cf)
2007-10-10 13:47:46 -05:00
Andrew Bartlett
6cb5cda53b r12432: Re-indent and consistantly cancel the transaction.
Andrew Bartlett
(This used to be commit 2c8b988eb8)
2007-10-10 13:47:38 -05:00
Andrew Bartlett
77f4910b57 r12427: Move SAMR CreateUser2 to transactions, and re-add support for
different computer account types.  (Earlier code changes removed the
BDC case).

We don't use the TemplateDomainController, so just have a
TemplateServer in provision_templates.ldif

Andrew Bartlett
(This used to be commit c4520ba2e6)
2007-10-10 13:47:37 -05:00
Andrew Bartlett
bceca72304 r12361: Add a new function: ldb_binary_encode_string()
This is for use on user-supplied arguments to printf style format
strings which will become ldb filters.  I have used it on LSA, SAMR
and the auth/ code so far.

Also add comments to cracknames code.

Andrew Bartlett
(This used to be commit 8308cf6e04)
2007-10-10 13:47:30 -05:00
Andrew Bartlett
d0375cfd43 r11438: Move enum samr_RejectReason into misc.idl so I can use it in a global
prototype.

Andrew Bartlett
(This used to be commit a3abffc758)
2007-10-10 13:45:37 -05:00
Andrew Bartlett
9f67256383 r11221: I don't quite know how I tested this before, but clearly I didn't.
The samdb_set_password_sid helper function now works.

Andrew Bartlett
(This used to be commit 629595f27c)
2007-10-10 13:45:04 -05:00
Andrew Bartlett
02c32587a8 r11195: Add a new helper function (needed by my kpasswdd work, but hooked in
for netlogon as well) to change/set a user's password, given only
their SID.

This avoids the callers doing the lookups, and also performs the
actual 'set', as these callers do not wish any further buisness with
the entry.

Andrew Bartlett
(This used to be commit 060a2a7bcc)
2007-10-10 13:44:59 -05:00
Andrew Tridgell
36d73b0e71 r10894: make the handling of dn/distinguishedName much closer to real
ldap. Also ensure we put a objectclass on our private ldb's, so they
have some chance of being stored in ldap if you want to
(This used to be commit 1af2cc067f)
2007-10-10 13:39:40 -05:00
Andrew Bartlett
1377cca5f4 r10810: This adds the hooks required to communicate the current user from the
authenticated session down into LDB.  This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.

Along the way, I cleaned up a few things, and added new helper functions
to assist.  In particular the LSA pipe uses simpler queries for some of
the setup.

In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.

I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.

Andrew Bartlett
(This used to be commit fd7203789a)
2007-10-10 13:39:32 -05:00
Andrew Bartlett
9b905c9f27 r9930: Use a single samdb_base_dn() function rather than lots of silly
searches all over the place.

This can be extended to cover an NT4 (no ADS) mode in future as well.

Andrew Bartlett
(This used to be commit 0761b22f99)
2007-10-10 13:36:23 -05:00
Simo Sorce
61aaf82b62 r9654: introduce the samdb_search_dn call
(This used to be commit 333ebb40d5)
2007-10-10 13:34:38 -05:00
Simo Sorce
ac90ddfdb2 r9392: Fix ldb_dn_compose to make build farm happy
Add ldb_dn_string_compose so that you can build a dn starting from a
struct ldb_dn base and a set of parameters to be composed in a format
string with the same syntax of printf
(This used to be commit 31c69d0655)
2007-10-10 13:33:33 -05:00
Simo Sorce
3e4c4cff21 r9391: Convert all the code to use struct ldb_dn to ohandle ldap like distinguished names
Provide more functions to handle DNs in this form
(This used to be commit 692e35b779)
2007-10-10 13:33:32 -05:00
Andrew Bartlett
e0cc4f0f6d r9015: Fix access to BUILTIN again.
Andrew Bartlett
(This used to be commit 2beb694226)
2007-10-10 13:31:08 -05:00
Andrew Bartlett
e7d87f8538 r9011: Remove more references to "name" as a netbios name, using the
cross-reference instead.

Andrew Bartlett
(This used to be commit 0f7b1136f6)
2007-10-10 13:31:07 -05:00
Andrew Bartlett
cf54bfbabf r8983: The KVNO (Kerberos key version number) should be incremented with
every password set.

Andrew Bartlett
(This used to be commit 71958cb19f)
2007-10-10 13:31:03 -05:00
Andrew Bartlett
66b2a04346 r8790: Finish the migration of aliases and privilages with SamSync, by adding
templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)

The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.

Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.

Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong.  Many of these should perhaps be hooked
into an error string.

Andrew Bartlett
(This used to be commit 1f071b0609)
2007-10-10 13:30:05 -05:00
Andrew Bartlett
f3f9e09d6d r8670: Remove GUID code from SAMR, it is handled lower down now. I notice
this code also does string SIDs, but I'm not quite sure where that
fits in.

Andrew Bartlett
(This used to be commit 968bcc4fe8)
2007-10-10 13:29:52 -05:00
Andrew Tridgell
e835621799 r8520: fixed a pile of warnings from the build farm gcc -Wall output on
S390. This is an attempt to avoid the panic we're seeing in the
automatic builds.

The main fixes are:

 - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats

 - use of NULL format statements to perform dn searches.

 - assumption that sizeof() returns an int
(This used to be commit a58ea6b385)
2007-10-10 13:29:34 -05:00
Stefan Metzmacher
557c78e36d r8370: remove the '$' from in the cn: attribute for computer and dc accounts
metze
(This used to be commit 206f33778e)
2007-10-10 13:20:12 -05:00
Stefan Metzmacher
0b92507760 r8232: remove samr_String and netr_String as they are the same as lsa_String
metze
(This used to be commit e601042c07)
2007-10-10 13:19:22 -05:00
Andrew Bartlett
9a7481bcfe r7993: Further work on the Krb5 PAC.
We now generate the PAC, and can verifiy both our own PAC and the PAC
from Win2k3.

This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.

In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.

Also in this commit:

The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.

To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.

Andrew Bartlett
(This used to be commit e2015671c2)
2007-10-10 13:18:57 -05:00
Andrew Tridgell
bdee131f30 r7860: switch our ldb storage format to use a NDR encoded objectSid. This is
quite a large change as we had lots of code that assumed that
objectSid was a string in S- format.

metze and simo tried to convince me to use NDR format months ago, but
I didn't listen, so its fair that I have the pain of fixing all the
code now :-)

This builds on the ldb_register_samba_handlers() and ldif handlers
code I did earlier this week. There are still three parts of this
conversion I have not finished:

 - the ltdb index records need to use the string form of the objectSid
   (to keep the DNs sane). Until that it done I have disabled indexing on
   objectSid, which is a big performance hit, but allows us to pass
   all our tests while I rejig the indexing system to use a externally
   supplied conversion function

 - I haven't yet put in place the code that allows client to use the
   "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3
   supports this, presumably by looking for the "S-" prefix to
   determine what type of objectSid form is being used by the client. I
   have been working on ways to handle this, but am not happy with
   them yet so they aren't part of this patch

 - I need to change pidl to generate push functions that take a
   "const void *" instead of a "void*" for the data pointer. That will
   fix the couple of new warnings this code generates.

Luckily it many places the conversion to NDR formatted records
actually simplified the code, as it means we no longer need as many
calls to dom_sid_parse_talloc(). In some places it got more complex,
but not many.
(This used to be commit d40bc2fa8d)
2007-10-10 13:18:44 -05:00
Andrew Bartlett
3e73885ba4 r7756: Don't segfault by trying to search for the NULL DN, if the wrong
password was entered.  We would not use the results of the search in
any case.

Andrew Bartlett
(This used to be commit edeb908aca)
2007-10-10 13:18:31 -05:00
Simo Sorce
9189833a87 r7582: Better way to have a fast path searching for a specific DN.
Old way was ugly and had a bug, you couldn't add an attribute named
dn or distinguishedName and search for it, tdb would change that search in a dn search.
This makes it also possible to search by dn against an ldap server as the old method was
not supported by ldap syntaxes.

sss
(This used to be commit a614466dec)
2007-10-10 13:18:11 -05:00
Andrew Tridgell
694488d29c r7507: fixed the problem with users being shown too many times in acl
editors, and added a test for it.
(This used to be commit 9e428881f6)
2007-10-10 13:18:02 -05:00
Andrew Bartlett
bb6e2059ee r6544: Use common structures between SAMR, NETLGON and the Krb5 PAC.
Fill out the group list for the SamLogon reply, so clients get the
supplementary groups.

Andrew Bartlett
(This used to be commit d9c31e60a7)
2007-10-10 13:16:24 -05:00
Simo Sorce
fe4d985b6f r6470: Remove ldb_search_free() it is not needed anymore.
Just use talloc_free() to release the memory after an ldb_search().
(This used to be commit 4f0948dab0)
2007-10-10 13:11:40 -05:00
Tim Potter
6bb0231229 r6325: Rename aliasname -> alias_name in CreateDomAlias function.
(This used to be commit 63dfa9b806)
2007-10-10 13:11:32 -05:00
Simo Sorce
5487ee5e9c r6084: - Introduce the samldb module dependency on samba4
- This module will take care of properly filling an user or group object
  with required fields. You just need to provide the dn and the objectclass
  and a user/group get created

  Simo.
(This used to be commit fb9afcaf53)
2007-10-10 13:11:18 -05:00
Andrew Bartlett
79f6bcd5ae r5988: Fix the -P option (use machine account credentials) to use the Samba4
secrets system, and not the old system from Samba3.

This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.

In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v().  The vast majority of this patch is the simple
rename that followed,

(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).

Andrew Bartlett
(This used to be commit e13c671619)
2007-10-10 13:11:12 -05:00
Andrew Bartlett
5aa2646be8 r5879: Rename SAMR_FIELD_WORKSTATION to SAMR_FIELD_WORKSTATIONS - it is a list.
Andrew Bartlett
(This used to be commit 7822101cb5)
2007-10-10 13:11:06 -05:00
Andrew Bartlett
d830fcd7d1 r5783: Test renaming of accounts in the RPC-SAMR test, and add support into
the SAMR server.

Andrew Bartlett
(This used to be commit fd748f9d2f)
2007-10-10 13:11:03 -05:00
Jelmer Vernooij
c52fb55903 r5437: Allow Samba4 to be compiled by tcc (www.tinycc.org). It still crashes when linking though.
(This used to be commit 2e1e8db6dc)
2007-10-10 13:10:45 -05:00
Tim Potter
abc28d66e9 r5364: Rename string fields called 'domain' and 'name' to be 'domain_name'.
(This used to be commit 6749b9404d)
2007-10-10 13:09:46 -05:00
Andrew Tridgell
a0e6f6c05b r5309: removed ads.h from includes.h
(This used to be commit 196c45b834)
2007-10-10 13:09:40 -05:00
Andrew Tridgell
e82aad1ce3 r5298: - got rid of pstring.h from includes.h. This at least makes it a bit
less likely that anyone will use pstring for new code

 - got rid of winbind_client.h from includes.h. This one triggered a
   huge change, as winbind_client.h was including system/filesys.h and
   defining the old uint32 and uint16 types, as well as its own
   pstring and fstring.
(This used to be commit 9db6c79e90)
2007-10-10 13:09:38 -05:00
Andrew Tridgell
465e089dd3 r5080: patch from ronnie to make our samr IDL a little more consistent
(This used to be commit 7607ddda3f)
2007-10-10 13:09:20 -05:00
Andrew Tridgell
759da3b915 r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5)
2007-10-10 13:09:15 -05:00
Andrew Tridgell
737a000d2c r4745: remove the distinguishedName attribute adds from samr. See the
discussion on samba-technical about this.
(This used to be commit e9dff03f79)
2007-10-10 13:08:49 -05:00
Stefan Metzmacher
c0b55c0e3b r4715: alwys add the distinguishedName attribute
the w2k3 dc join needs that

metze
(This used to be commit 29bc75ba28)
2007-10-10 13:08:47 -05:00
Stefan Metzmacher
9178e7b8bf r4707: w2k3 don't restict passwords on
netr_ServerPasswordSet and netr_ServerPasswordSet2

so we do now

I also add a torture test for this

metze
(This used to be commit d896ac603a)
2007-10-10 13:08:46 -05:00
Andrew Bartlett
e54964c618 r4703: Add support for EnumTrustDomain, and expand the testsuite.
Add my copyright to the SAMR server.

Andrew Bartlett
(This used to be commit 51e94fa26c)
2007-10-10 13:08:45 -05:00
Andrew Bartlett
c0571f6234 r4698: - Initial implementation of trusted domains in LSA.
- Use templates for Secrets and the new trusted domains

 - Auto-add modifiedTime, createdTime and objectGUID to records in the
   samdb layer.

Andrew Bartlett
(This used to be commit 271c8faadf)
2007-10-10 13:08:44 -05:00
Andrew Bartlett
fdebf9dd4c r4680: Make more efficient use of memory in SAMR:
Avoid a strdup, use a talloc_reference
 Use the shortest term memory context possible

Andrew Bartlett
(This used to be commit 5569db0f94)
2007-10-10 13:08:42 -05:00
Stefan Metzmacher
fd4831f1f0 r4650: - make more use of bitmap and enum's
- move some structs out of misc.idl

metze
(This used to be commit b6543a6e30)
2007-10-10 13:08:39 -05:00
Andrew Tridgell
577218b2ad r4640: first stage in the server side support for multiple context_ids on one pipe
this stage does the following:

 - simplifies the dcerpc_handle handling, and all the callers of it

 - split out the context_id depenent state into a linked list of established contexts

 - fixed some talloc handling in several rpc servers that i noticed while doing the above
(This used to be commit fde042b3fc)
2007-10-10 13:08:38 -05:00
Andrew Tridgell
4db9496bb4 r4490: when implementing one rpc server call in terms of another call, you
must zero r.out before making the 2nd call if the 2nd call has any
non-ref out parameters. This is needed for the case where the 2nd call
fails, and the 1st call would then fill in its out fields based on
uninitialised memory.
(This used to be commit 202470326d)
2007-10-10 13:08:12 -05:00
Andrew Tridgell
54c63eb7e4 r4487: fixed the use of ldb_msg_add_*() in the samr password backend
(This used to be commit d79cc8b901)
2007-10-10 13:08:11 -05:00
Andrew Tridgell
500d5523d2 r4475: fixed smbd to work with the small changes in the ldb API (the most important
change was in the ldb_msg_add_*() routines, which now use the msg as a context,
and thus it needs to be a talloc ptr)
(This used to be commit 1a4713bfd0)
2007-10-10 13:07:55 -05:00
Volker Lendecke
6372b4e4a4 r4417: Reply to samr_QueryDomainInfo with the same static value as level2 does.
Volker
(This used to be commit 04cf580ef3)
2007-10-10 13:07:46 -05:00
Volker Lendecke
6aaefee85f r4415: Implement samr_RemoveMemberFromForeignDomain. This is needed to delete a user
with usrmgr.exe.

To fix: Remove domain group membership attrib values when a user is deleted.

Volker
(This used to be commit 83d180c732)
2007-10-10 13:07:46 -05:00
Volker Lendecke
8da7a60557 r4414: Various bits&pieces:
* Implement samr_search_domain, filter out all elements with no "objectSid"
  attribute and all objects outside a specified domain sid.

* Minor cleanups in dcerpc_samr.c due to that.

* Implement srvsvc_NetSrvGetInfo level 100. A quick hack to get usrmgr.exe
  one step further.

* Same for samr_info_DomInfo1.

Volker
(This used to be commit cdec896113)
2007-10-10 13:07:46 -05:00
Volker Lendecke
b386af06d0 r4399: Implement samr_GetAliasMembership and samr_GetGroupsForUser. With these two,
usrmgr.exe seems to become usable. Some quirks, but it's worth a try.

Volker
(This used to be commit 9c62a239cd)
2007-10-10 13:07:43 -05:00
Volker Lendecke
4fd56d5d1a r4393: Trivial bugfix for a silly bug
(This used to be commit ae3c329e9d)
2007-10-10 13:07:42 -05:00
Volker Lendecke
03a914931e r4381: Add my copyright
(This used to be commit 9e27a83ac3)
2007-10-10 13:07:40 -05:00
Volker Lendecke
a7a1fada8d r4380: Implement samr_QueryDisplayInfo. This probably needs some polishing (Do we
have to sort the entries?)

Volker
(This used to be commit 26d21bb5cc)
2007-10-10 13:07:40 -05:00
Volker Lendecke
e08d8505d2 r4378: Implement samr_EnumDomainGroups and samr_EnumDomainAliases.
Hmmm. How do I tell ldb not to descend into cn=Builtin?

Volker
(This used to be commit c95d20cd7c)
2007-10-10 13:07:40 -05:00
Volker Lendecke
e14a5a9167 r4376: Implement samr_AddAliasMember, samr_DeleteAliasMember and
samr_GetMembersInAlias.

Volker
(This used to be commit 78802720ae)
2007-10-10 13:07:40 -05:00
Volker Lendecke
2333ea56f3 r4375: Implement samr_OpenAlias, samr_QueryAliasInfo and samr_SetAliasInfo. Fix IDL
for samr_SetAliasInfo.

Volker
(This used to be commit d70e237190)
2007-10-10 13:07:39 -05:00
Volker Lendecke
296c0d8eac r4374: Follow metzes hint, change LookupRids a bit
(This used to be commit b8fa5b9419)
2007-10-10 13:07:39 -05:00
Volker Lendecke
f0d3e9de7e r4372: Implement samr_LookupRids
(This used to be commit 1bab3254f6)
2007-10-10 13:07:39 -05:00
Volker Lendecke
77529ae792 r4367: Implement samr_AddGroupMember, samr_DeleteGroupMember and
samr_QueryGroupMember.

Volker
(This used to be commit 43581c3711)
2007-10-10 13:07:39 -05:00
Volker Lendecke
e4b8399af6 r4344: Unify memory handling in dcerpc_samr.c a bit
(This used to be commit 79ec28ade8)
2007-10-10 13:07:36 -05:00
Volker Lendecke
61b1620fc4 r4335: Fix some potential memleaks, implement CreateDomAlias. Hmmmm. Isn't there
enough stuff to do in 3_0??? ;-)

Volker
(This used to be commit c0fa7a92d9)
2007-10-10 13:07:35 -05:00
Volker Lendecke
7f773c9ae8 r4332: Fix a potential memleak.
Volker
(This used to be commit 8f2b9c9d32)
2007-10-10 13:07:35 -05:00
Stefan Metzmacher
33cbe33678 r4320: fix locations of new trusting domains and domsin controller
computer accounts

metze
(This used to be commit f75c2004a0)
2007-10-10 13:07:34 -05:00
Stefan Metzmacher
8d0c3eefbc r4096: move the samdb code to source/dsdb/
the idea is to have a directory service db layer
which will be used by the ldap server, samr server, drsuapi server
authentification...

I plan to make different implementations of this interface possible
- current default will be the current samdb code with sam.ldb
- a compat implementation for samba3 (if someone wants to write one)
- a new dsdb implementation which:
  - understands naming contexts (directory parrtitions)
  - do schema and acl checking checking
  - maintain objectGUID, timestamps and USN number,
    maybe linked attributes ('member' and 'memberOf' attributes)
  - store metadata on a attribute=value combination...

metze
(This used to be commit 893a8b8bca)
2007-10-10 13:06:26 -05:00
Andrew Tridgell
990acc9f77 r3977: fixed the lmPwdHash change in the rpc server (we were not fetching the
lm hash from the samdb, and thus not checking the verifier)

fixed the client side to calculate the lm verifier based on the nt
hash, not the lm hash (confirmed using w2k3)
(This used to be commit 27e7fb3baf)
2007-10-10 13:06:10 -05:00
Andrew Tridgell
a99bf33294 r3953: the lm verifier key in passwoed ChangePasswordUser3 is based on the nt
hash, not the lm hash
(This used to be commit 8d4f0dc7d0)
2007-10-10 13:06:07 -05:00
Andrew Tridgell
cf91ad8122 r3952: added validation of the lm and nt verifiers to our server side password change code.
(This used to be commit f70e8f02d6)
2007-10-10 13:06:07 -05:00
Andrew Bartlett
5d35fe6f71 r3885: Add security descriptor comparison to our RPC-SAMSYNC test. We now
verify that the security descriptor found in the SamSync is the same
as what is available over SAMR.

Unfortunately, the administrator seems unable to retrieve the SACL on
the security descriptor, so I've added a new function to compare with
a mask.

Andrew Bartlett
(This used to be commit 39ae5e1dac)
2007-10-10 13:06:01 -05:00
Stefan Metzmacher
856ee66537 r3810: create a LIB_SECURITY subsystem
- move dom_sid, security_descriptor, security_* funtions to one place
  and rename some of them

metze
(This used to be commit b620bdd672)
2007-10-10 13:05:56 -05:00
Andrew Bartlett
5ad5c6cc70 r3807: Cross-check the basic attributes for groups and aliases in RPC-SAMSYNC.
Andrew Bartlett
(This used to be commit 90398fda41)
2007-10-10 13:05:56 -05:00
Andrew Bartlett
9aec081fd9 r3804: Add more comparison tests in RPC-SAMSYNC.
This compares values for the domain and for secrets.  We still have
some problems we need to sort out for secrets.

Also rename a number of structures in samr.idl and netlogon.idl, to
better express their consistancy.

Andrew Bartlett
(This used to be commit 3f52fa3a42)
2007-10-10 13:05:55 -05:00
Stefan Metzmacher
fa8f1c1ffe r3788: give new accounts and groups a objectGUID
metze
(This used to be commit 4839ea156f)
2007-10-10 13:05:53 -05:00
Stefan Metzmacher
8a18778286 r3783: - don't use make proto for ldb anymore
- split ldh.h out of samba's includes.h

- make ldb_context and ldb_module private to the subsystem

- use ltdb_ prefix for all ldb_tdb functions

metze
(This used to be commit f5ee40d6ce)
2007-10-10 13:05:52 -05:00
Andrew Bartlett
50916c8f2f r3724: Rename a number of structures, for better consistance between SAMR and
NETLOGON.

In particular, rename samr_Name to samr_String - given that many
strings in this pipe are not 'names', the previous was just confusing.
(I look forward to PIDL turning these into simple char * some day...).

Also export out a few changes from testjoin.c to allow for how I have
written the new RPC-SAMSYNC test.

Andrew Bartlett
(This used to be commit 9cd666bcfb)
2007-10-10 13:05:47 -05:00
Andrew Tridgell
c051779a0a r3468: split out dcerpc_server.h
(This used to be commit 729e0026e4)
2007-10-10 13:05:17 -05:00
Andrew Tridgell
a1d0b97ed4 r3462: separate out the crypto includes
(This used to be commit 3f75117db9)
2007-10-10 13:05:16 -05:00
Andrew Tridgell
edbfc0f6e7 r3453: - split out the auth and popt includes
- tidied up some of the system includes

- moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl
  knows about inter-IDL dependencies
(This used to be commit 7b7477ac42)
2007-10-10 13:05:13 -05:00
Andrew Tridgell
ead3508ac8 r3447: more include/system/XXX.h include files
(This used to be commit 264ce91810)
2007-10-10 13:05:12 -05:00
Andrew Tridgell
90067934cd r3428: switched to using minimal includes for the auto-generated RPC code.
The thing that finally convinced me that minimal includes was worth
pursuing for rpc was a compiler (tcc) that failed to build Samba due
to reaching internal limits of the size of include files. Also the
fact that includes.h.gch was 16MB, which really seems excessive. This
patch brings it back to 12M, which is still too large, but
better. Note that this patch speeds up compile times for both the pch
and non-pch case.

This change also includes the addition iof a "depends()" option in our
IDL files, allowing you to specify that one IDL file depends on
another. This capability was needed for the auto-includes generation.
(This used to be commit b8f5fa8ac8)
2007-10-10 13:05:09 -05:00
Andrew Tridgell
475c958450 r3425: got rid of a bunch of cruft from rewrite.h
(This used to be commit 3f902f8d85)
2007-10-10 13:05:08 -05:00
Andrew Bartlett
8050be6ea3 r3080: Make the Samba4 SAMR server pass the new, nasty torture test (now that
SAMR_FIELD_PASSWORD has been split up).

Andrew Bartlett
(This used to be commit 5f2295a5fb)
2007-10-10 13:01:57 -05:00
Andrew Bartlett
7afe85725f r3077: Add initial handling of Account Flags in SAMR user info level 21 and 25.
Andrew Bartlett
(This used to be commit 51774a9bca)
2007-10-10 13:01:56 -05:00
Andrew Tridgell
12ea0fd34c r3005: added talloc wrappers around tdb_open() and ldb_connect(), so that the
caller doesn't have to worry about the constraint of only opening a
database a single time in a process. These wrappers will ensure that
only a single open is done, and will auto-close when the last instance
is gone.

When you are finished with a database pointer, use talloc_free() to
close it.

note that this code does not take account of the threads process
model, and does not yet take account of symlinks or hard links to tdb
files.
(This used to be commit 04e1171996)
2007-10-10 12:59:56 -05:00
Andrew Tridgell
1429ed54f1 r2792: got rid of talloc_ldb_alloc() and instead created talloc_realloc_fn(),
so talloc now doesn't contain any ldb specific functions.

allow NULL to be passed to a couple more talloc() functions
(This used to be commit 1246f80d80)
2007-10-10 12:59:34 -05:00
Andrew Tridgell
c567d64d66 r2734: the samdb_destructor can be static
(This used to be commit feb63e74f9)
2007-10-10 12:59:27 -05:00
Andrew Tridgell
aa12305945 r2680: switched the libcli/raw/ code over to use talloc_reference(), which simplifies things quite a bit
(This used to be commit c82a9cf750)
2007-10-10 12:59:21 -05:00
Andrew Tridgell
61a7dfc237 r2675: added a convenience function
void *talloc_reference(const void *context, const void *ptr);

this function makes a secondary reference to ptr, and hangs it off the
given context. This greatly simplifies some of the current reference
counting code in the samr server and I suspect it will be widely used
in other places too.

the way you use it is like this:

	domain_state->connect_state = talloc_reference(domain_state, connect_state);

that makes the element connect_state of domain_state a secondary
reference to connect_state. The connect_state structure will then only
be freed when both domain_state and the original connect_state go
away, allowing you to free them independently and in any order.

you could do this alrady using a talloc destructor, and that is what
the samr server did previously, but that meant this construct was
being reinvented in several places. So this convenience function sets
up the destructor for you, giving a much more convenient and less
error prone API.
(This used to be commit dc53150861)
2007-10-10 12:59:20 -05:00
Andrew Tridgell
f095a8e748 r2670: use a destructor to auto-close the samr ldb when the last user
disconnects. Previously the ldb was always kept open.
(This used to be commit d78eea9eb8)
2007-10-10 12:59:20 -05:00
Andrew Tridgell
223e78990a r2628: got rid of some warnings and converted a few more places to use hierarchical memory allocation
(This used to be commit 26da45a801)
2007-10-10 12:59:14 -05:00
Andrew Tridgell
1954070a7e r2592: this fixes one of the security memory leaks in the server
(This used to be commit efb2b88edd)
2007-10-10 12:59:10 -05:00
Andrew Bartlett
814cd2bc3f r2537: Add static and use strlen_m instead of str_charnum().
Andrew Bartlett
(This used to be commit f3bf57ca6b)
2007-10-10 12:59:04 -05:00
Tim Potter
0e71bf8148 r2458: Rename policy handle parameters for the SAMR pipe. Parameters now
have the handle type implied by the parameter name.  There are four
types of handle: connect, domain, user and group handles.  The
various samr_Connect functions return a connect handle, and the
samr_OpenFoo functions return a foo handle.

There is one exception - the samr_{Get,Set}Security function can
take any type of handle.

Fix up all C callers.
(This used to be commit 32f0f3154a)
2007-10-10 12:58:55 -05:00
Andrew Bartlett
15a96c4298 r2290: Fix 'lsakey' for the server-side, it is static for
'authenticated' connections.

Fix kerberos session key issues - we need to call the
routine for extracting the session key, not just read the cache.

Andrew Bartlett
(This used to be commit b80d849b6b)
2007-10-10 12:58:40 -05:00
Andrew Bartlett
d987a32c8c r2282: Remove one more magic constant from the source, replace with sizeof().
Andrew Bartlett
(This used to be commit a089bcf503)
2007-10-10 12:58:39 -05:00
Andrew Tridgell
fa419c9255 r2280: fixed the session key choice for ncacn_np and ncacn_ip_tcp in the rpc server
(This used to be commit 3b4ed24f4b)
2007-10-10 12:58:38 -05:00
Tim Potter
8293df91bc r2247: talloc_destroy -> talloc_free
(This used to be commit 6c1a72c5d6)
2007-10-10 12:58:34 -05:00
Stefan Metzmacher
275efb936f r2059: abartlet: is there a better way to fix this compiler warning
(the same problem as in -r 2056)

metze
(This used to be commit 98e4b23d45)
2007-10-10 12:58:22 -05:00
Andrew Bartlett
5e869b4eab r2055: Add PRINTF_ATTRIBUTE to many more parts of the code, and a new
--enable-developer warning for when they are missing.

Andrew Bartlett
(This used to be commit 8115e44d47)
2007-10-10 12:58:21 -05:00
Andrew Tridgell
ede02ee038 r2051: switched the samdb over to using the new destructor and reference
count features of talloc, instead of re-implementing both those
features inside of samdb (which is what we did before).

This makes samdb considerably simpler, and also fixes some bugs, as I
found some error paths that didn't call samdb_close(). Those are now
handled by the fact that a talloc_free() will auto-close and destroy
the samdb context, using a destructor.
(This used to be commit da60987a92)
2007-10-10 12:58:21 -05:00
Andrew Tridgell
b83ba93eae r1983: a completely new implementation of talloc
This version does the following:

  1) talloc_free(), talloc_realloc() and talloc_steal() lose their
     (redundent) first arguments

  2) you can use _any_ talloc pointer as a talloc context to allocate
     more memory. This allows you to create complex data structures
     where the top level structure is the logical parent of the next
     level down, and those are the parents of the level below
     that. Then destroy either the lot with a single talloc_free() or
     destroy any sub-part with a talloc_free() of that part

  3) you can name any pointer. Use talloc_named() which is just like
     talloc() but takes the printf style name argument as well as the
     parent context and the size.

The whole thing ends up being a very simple piece of code, although
some of the pointer walking gets hairy.

So far, I'm just using the new talloc() like the old one. The next
step is to actually take advantage of the new interface
properly. Expect some new commits soon that simplify some common
coding styles in samba4 by using the new talloc().
(This used to be commit e35bb094c5)
2007-10-10 12:58:14 -05:00
Stefan Metzmacher
b82881591c r1335: NT_STATUS_INTERNAL_DB_CORRUPTION
should cause DEBUG(0,(...));

metze
(This used to be commit 80851e6778)
2007-10-10 12:56:50 -05:00
Andrew Bartlett
dc9f55dbec r1294: A nice, large, commit...
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.

This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal).  This causes
changes in all the existing gensec users.

Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.

Gensec has also taken over the role of auth/auth_ntlmssp.c

An important part of gensec, is the output of the 'session_info'
struct.  This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.

The schannel code is reworked, to be in the same file for client and
server.

ntlm_auth is reworked to use gensec.

The major problem with this code is the way it relies on subsystem
auto-initialisation.  The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.

There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
  valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.

Andrew Bartlett
(This used to be commit 07fd885fd4)
2007-10-10 12:56:49 -05:00
Tim Potter
d2ac885df0 r1270: Start to break samdb into general bits so we can share code with other
similar dbs.
(This used to be commit 1162e2fcff)
2007-10-10 12:56:47 -05:00
Tim Potter
37fcf22364 r1268: varient -> variant
(This used to be commit de5984c956)
2007-10-10 12:56:46 -05:00
Stefan Metzmacher
db8c78c497 r1235: as the pidl code init all output data.
we should do it manualy too.

metze
(This used to be commit d3b80fd40a)
2007-10-10 12:56:46 -05:00